CVE-2023-24535

EUVD-2023-1039
Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 58%
Affected Products (NVD)
VendorProductVersion
protobufprotobuf
1.29.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
golang-google-protobuf
bookworm
1.28.1-3
fixed
bullseye
1.25.0+git20201208.160c747-1
fixed
sid
1.33.0-1
fixed
trixie
1.33.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-github-golang-protobuf-1-3
bionic
ignored
focal
dne
jammy
dne
kinetic
dne
lunar
ignored
mantic
ignored
noble
needs-triage
oracular
needs-triage
trusty
ignored
xenial
ignored
golang-github-golang-protobuf-1-5
bionic
ignored
focal
dne
jammy
dne
kinetic
dne
lunar
ignored
mantic
ignored
noble
needs-triage
oracular
needs-triage
trusty
ignored
xenial
ignored
golang-goprotobuf
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
kinetic
ignored
lunar
dne
mantic
dne
noble
dne
oracular
dne
trusty
ignored
xenial
needs-triage
google-guest-agent
bionic
not-affected
focal
not-affected
jammy
not-affected
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
oracular
not-affected
trusty
dne
xenial
not-affected
Common Weakness Enumeration
References
https://github.com/golang/protobuf/issues/1530
https://go.dev/cl/475995
https://pkg.go.dev/vuln/GO-2023-1631
https://github.com/golang/protobuf/issues/1530
https://go.dev/cl/475995
https://pkg.go.dev/vuln/GO-2023-1631